
New Wireless security device creates "noise" around WAPs.
Wardriving is still gaining in popularity and is exposing countless hundreds of unsecured networks.

Yet another MS patch, this one for the digital certificate vulnerability. (what else is new)

Intel decides to join MS in the Palladium effort.

INTERVIEW: Kevin Mitnick on Social Engineering.

Well, that's about it for this week.

PS... I would like to get some discussion going on in these threads. If you see a topic in here that you want to comment on, feel free to.

Oh, and feel free to bump this thread at will. It will usually die off after the week is over. It's always good to have the news on the front page. I know many have missed it from week to week. The past weeks' threads you can find at the bottom of the page.

--7 September 2002 LLNL Hacker Gets House Arrest and Community Service
Benjamin Troy Breuninger of Minnesota will serve six months under house
arrest and give 400 hours of his time to community service as a penalty
for breaking into a computer system at Lawrence Livermore National
Laboratory. He will also have to pay $20,000 in restitution. He was
convicted of causing damage in excess of $32,000. The judge in the
case did not give the harshest sentence because, authorities say,
Breuninger did not access classified information and he apologized,
accepted responsibility for his actions and was cooperating with
authorities, including telling the Laboratory how he broke in.
http://www.bayarea.com/mld/cctimes/l...ce/4022958.htm

--5 September 2002 Microsoft VP Not Proud of Company's Security
Brian Valentine, senior VP in charge of the Windows development team,
told a gathering of attendees of Microsoft's Windows .Net Server
developer conference that the company has not done everything it could
to protect customers because Microsoft products are not designed
for security. Valentine observed that security is a problem that
will never be solved because as concerns are addressed, hackers will
devise new methods. He also pointed out that all major operating
systems have security problems.
http://www.infoworld.com/articles/hn...hnmssecure.xml
[Editor's Note (Northcutt): Commercial operating system vendors,
with Microsoft at the lead, have focused on features, not system and
security engineering. Users have begun to realize they are sitting on
a time bomb when they try to use Windows operating systems in commerce.
Watch for early adopters of .NET to get hammered, as well. This is
what drove the community to develop the Gold Standard to harden
Windows 2000:
http://www.fcw.com/fcw/articles/2002...n-07-22-02.asp
and the Gold Standard course schedule is at:
http://www.sans.org/Win2KWorldTour/win2K.php]

--26 August 2002 Federal Security Dollars Spent on OMB Reports Instead Of Fixing Security
Much of the money earmarked for making improvements in computer
networks at federal agencies actually goes to preparing reports for
Congress and the Office of Management and Budget (OMB). The OMB says
the gathered data will help support requests for increased resources
to address security; however, even if agencies complete the entire OMB
checklist, it does nothing to guarantee the security of their systems.
http://federaltimes.com/index.php?S=1072569

STORIES ILLUSTRATING THE LACK OF SECURITY AWARENESS AND ITS IMPACT

--7 & 9 September 2002 Microsoft: Windows 2000 Attacks Due to Improper Lockdown
Microsoft has issued an advisory stating that the attacks on servers
running Windows 2000 were the result of hackers taking advantage of
inadequately locked down machines rather than exploiting a security
hole. Microsoft said the attacked servers had blank or weak passwords,
and it recommends that customers address the password problem, disable
guest accounts, install firewalls, keep up to date with security
patches and run anti-virus software. The attacks were designed to
load a Trojan onto the server.
http://zdnet.com.com/2100-1105-957159.html
http://www.theregister.co.uk/content/55/27007.html
Microsoft advisory:
http://support.microsoft.com/default...;en-us;q328691

--9 September 2002 Wardriving Reveals Lack of LAN Security
A week-long worldwide wardrive revealed that many wireless LANs (local
area networks) don't employ even basic security. A New Jersey-based
company is selling complete wardriving kits. A consultant for the
company observed that wardriving is legal and has legitimate uses.
http://www.computerworld.com/mobilet...,74103,00.html
http://www.computerworld.com/mobilet...,74102,00.html
[Editor's Note (Murray): it is legal to look in your neighbor's open
window but nice people do not do it. There is no more corrupting idea
than the current one that that which is legal is, ipso facto, ethical.]

--7 September 2002 City Employee Opens Hard Drive to Kazaa Network
An Aspen, Colorado city employee who had installed Kazaa peer-to-peer
file sharing software on his work computer inadvertently made
his entire hard drive available to the network. The problem was
discovered by Canadian Kazaa member James Pocock, who e-mailed the
employee as well as the city's mayor and police chief about the
information he'd been able to view. The city has changed passwords
and installed a new firewall.
http://www.denverpost.com/Stories/0,...43149~,00.html

LOL... How dumb can you get? Well, this just goes to show that internal security is just as important (if not more) as outside security.

--4 September 2002 Mitnick Describes Social Engineering Tactics
Kevin Mitnick describes how companies leave themselves vulnerable
to socially engineered cyber attacks: corporate culture and terrain
can be discerned by examining documents found in trash cans, and
help desk personnel are often easily tricked into handing over login
names and passwords over the phone. Furthermore, if CEOs make a habit
of ignoring security policies and procedures when they want a task
accomplished quickly, this too can be exploited.
http://www.infoconomy.com/pages/news...group66338.adp

[Editor's Note (Northcutt): This note applies to all four of the
preceding stories. If you agree there is a security awareness problem
of epidemic proportions and want to make a difference, please help with
SANS new project in security awareness. It turns out to be incredibly
difficult to create powerful, believable security awareness training,
that appeals to administrative workers as well as the system and
network administrators who are some of the worst offenders. After two
years of research, we have a tool that seems to work. True stories
of the impact of security breaches, written in the first person,
are the most effective tools to actually change behavior. If you
would like to be involved in this consensus research project, contact awareness@sans.org]

THE REST OF THE WEEK'S NEWS

--9 September 2002 September 11th Renews Commitment to Security in the Workplace
The September 11 terrorist attacks have changed some businesses'
attitudes toward security. Companies have reevaluated their security
policies and disaster preparedness plans and employees are more aware
of the importance of security in their workplaces.
http://www.computerworld.com/managem...,74049,00.html

--9 September 2002 Philippine Phreaking Bust
Philippine police arrested three men in connection with a ring
believed to be responsible for hacking into the Philippine Long
Distance Telephone Company's computers and selling phone time.
If convicted, each of the men faced a six-year prison sentence and
a fine of almost $2,000. The arrests were made in accordance with
the Philippines' e-Commerce law, which was passed after the Love Bug
author escaped prosecution because there was no applicable law.
http://story.news.yahoo.com/news?tmp...s_arrests_dc_1
http://www.manilatimes.net/national/...20910top3.html

--9 September 2002 Intel Hardware will Integrate Security
Intel plans to integrate security features into its new chips and
other hardware. The features will work with Microsoft's Palladium.
http://www.msnbc.com/news/805877.asp?0dm=C15JT

--9 September 2002 Venezuelan CD Pirates Sold Confidential Data
Two people have been arrested in Caracas, Venezuela for their roles
in a CD piracy trade that included confidential phone company records
and police files.
http://www.ds-osac.org/edb/cyber/new...y.cfm?KEY=8953

--6 September 2002 Spammers Use Unprotected Wireless Networks to Wield their Wares
A consultant claims spammers are taking advantage of unsecured
wireless network access points and use the victim company's system
to send out unsolicited e-mail.
http://news.com.com/2100-1033-956911.html

--5 September 2002 Biometrically Secured Airport Lockers Tested
The Transportation Safety Administration (TSA) is testing biometrically
secured public lockers at Minneapolis-St. Paul International
airport. Following the September 11th attacks, the TSA has banned all
such lockers. The lockers will require a fingerprint for rental and
retrieval of stored items.
http://www.fcw.com/fcw/articles/2002...k-09-05-02.asp

--5 September 2002 OASIS Adopts New ebXML Standard
The Organization for the Advancement of Structured Information
Standards (OASIS) has announced that its members have approved and
adopted the new ebXML Messaging Service Specification Version 2.0.
http://www.computerworld.com/managem...,74001,00.html

--4 & 8 September 2002 Security Specialists in Short Supply
Security experts speaking at a cybersecurity conference in Washington
D.C. expressed concern that the country is going to need many more
skilled IT workers to protect the critical infrastructure than are
presently available. The military faces shortages of skilled IT
workers because many command higher salaries in the private sector.
In a related story, cyber forensic specialists are increasingly
in demand.
http://www.govexec.com/dailyfed/0902/090402td2.htm
http://seattletimes.nwsource.com/htm...rensics08.html

--4 September 2002 Security Tool Creates "Noise" Around Wireless Access Points
Two computer programmers have developed a tool called Fake AP that
generates 53,000 phony wireless access points around each real one.
People who may legitimately access the network will be able to
determine the actual access point. Some hackers are likely to rise
to the challenge and develop tools that test all the points quickly
to determine the real one.
http://www.newscientist.com/news/news.jsp?id=ns99992760

--3 September 2002 Citibank E-Mail Campaign May Have Breached Customer Privacy
Citibank used two outside companies to gather e-mail addresses of its
customers. The companies then sent e-mails offering the opportunity
to receive information about Citibank accounts on line. However,
some of the e-mail addresses did not belong to Citibank customers.
http://www.msnbc.com/news/802701.asp?0dm=H24BTs

--3 September 2002 Demand for Disaster Recovery and Business Continuity Planning is Up
Companies that offer disaster recovery planning services have noticed
an increase in their business since the September 11th terrorist
attacks. Previously, many businesses had not given much thought to
such widespread catastrophe. Businesses want help drafting business
continuity plans. Plans in place had not taken into account the
possibility of a "regional disaster." Companies are reevaluating
back-up plans and increasing the distances between data centers.
http://www.computerworld.com/managem...,73956,00.html

--3 September 2002 FBI Application Process Weeds Out Many Potentially Valuable Cyber Security Workers
Although the FBI is interested in recruiting security experts for their
agency, the application process weeds out many based on their ethics,
ages and levels of physical fitness. The FBI does have civilian
employees, though employees who are not agents are "at the bottom of
the food chain." One security consultant says that even if hacker
applicants are hired, they won't be put on computer security cases
for several years.
http://www.wired.com/news/politics/0,1283,54850,00.html

--3 September 2002 Are Viruses on the Decline?
Though the number of worms and viruses has grown about 50% each year
since 1990, this year, that number is expected to decline by 5%,
according to some security specialists. The reasons for the drop
could be increased penalties for (creating and spreading malware)
or increased use of anti-virus software. There is still a risk of
infection, however; researchers estimate that up to 7% of e-mail
messages contain a virus or a worm.
http://europe.cnn.com/2002/BUSINESS/...rus/index.html

--3 September 2002 Security Firm Says Hacks are on the Rise
Security firm mi2g has reported more hacks in the first eight months
of 2002 than the total number of hacks reported in all of 2001.
The company also says that cyber terrorism organizations are trying
to harvest information about computer networks in the financial sector
and other targets through electronic bulletin boards.
http://news.bbc.co.uk/2/hi/technology/2231205.stm

--2 & 3 September 2002 Microsoft Enhances Passport Security
Microsoft has improved the security of its Passport single sign-on
authentication technology. First, in order to establish an account,
users must submit a valid e-mail address; they will then receive an
e-mail message with links that will allow them to validate the account.
Second, it is now easier to cancel accounts that are no longer needed.
http://news.com.com/2100-1001-956246.html
http://www.computerworld.com/managem...,73945,00.html

--2 September 2002 Higher Ed Funding May be Tied to Security Practices
The National Strategy to Secure Cyberspace is likely to tie state and
federal funding for colleges and universities to compliance with cyber
security rules, including the designation of a CIO for each institution
and establishing an Information Sharing and Analysis Center (ISAC)
for US institutions of higher education.
http://www.eweek.com/article2/0,3959,508676,00.asp

--2 September 2002 Plan Will Establish Cybersecurity Network Operations Center
The National Strategy to Secure Cyberspace, which will be released
September 18 at Stanford University in California, includes plans to
create a cybersecurity network operations center (NOC). Despite rumors
to the contrary, the NOC does not intend to intercept and examine
e-mail and data traffic from major ISPs and private networks.
The plan is to model the NOC after the Incident.org web site and
Internet Storm Center.
http://www.computerworld.com/securit...,73922,00.html

--2 September 2002 Plan Includes Privacy Czar
The National Strategy to Secure Cyberspace is likely to include
the appointment of a "privacy czar" or chief privacy officer (CPO)
who will examine government data collection and security initiatives
and ensure that privacy is protected. The CPO would also oversee
privacy advocates at each government agency. The Czar would be in
the new Department of Homeland Security.
http://www.eweek.com/article2/0,3959,503728,00.asp

Lol, M$ VP is not happy with Microsoft's security. Guess what chief? Neither are we! Anywhoo, thanks xmadd. I can always count on you for bringing this week's security news. Oh btw, Microsoft increasing its security with Passport won't help. People find flaws and whatnot and it'll take them a long time to patch those.. -- Jason Copeland

Microsoft VP Not Proud of Company's Security
Brian Valentine, senior VP in charge of the Windows development team,
told a gathering of attendees of Microsoft's Windows .Net Server
developer conference that the company has not done everything it could
to protect customers because Microsoft products are not designed
for security.

In today's security-conscious market, MS is really going downhill. .NET was supposed to be their answer to Linux and Unix/Sun systems. Too bad companies are looking for security now. If MS continues this trend we are going to see .NET not even make it out the door. I really hope Bill G knows that he is tying his own noose with this one. Maybe he should stop saving money by getting inexperienced programmers straight out of college.

The Passport system is eternally flawed. The only way they could fully secure it would be to totally scrap the old programming and start all over again; of course, with their effort in backwards compatibility, they are once again going to shoot themselves in the foot.

Heh.....I guess next week we'll see a story on FORMER M$ VP Brian Valentine being spotted at the unemployment office in Redmond. It's refreshing to see a M$ executive's lips moving and the truth coming out as opposed to the norm, but somehow I can't picture the big kahuna appreciating it the way I do.

In August, Microsoft warned in one of eight security bulletins issued that month that many of its customers have experienced "an increased amount of hacking" in their various Windows systems. The Redmond, Wash., company has yet to identify the root of the problem, only saying that it has noticed some major similarities between the string of hack attacks.

It looks to me like the only cause of this could be an insider exposing flaws in the systems. I think MS laid off someone and now that person is exploiting all the things he/she knows about and getting back at them.

This comment doesn't exactly sit very well. It almost sounds like they can't build a patch that will successfully secure the OS. I don't know about you, but that is a major, major problem. Digital espionage?

MS VP

Next Month:

M$ reports that a M$ VP was using a blank or weak password. The VP was exploited and forced to say he was upset with M$ security. In reality M$ reports that their security is extremely tight and that the VP has now reset his password and should be totally safe from further exploitation.